Signal and Whatsapp Are Only as Private as the People You Talk To

In the show I’m in right now, there’s an scene when the less-than-pleasant Archdeacon of the Notre Dame Cathedral, Claude Frollo, tells his adopted son, Quasimodo, that “it takes two people to communicate.” But it’s not just the hunchback that forgets this lesson—I’m surprised, but not that surprised, about how easy it is to ignore this fact in everyday life.

Consider the indictment that was just handed down by the U.S. District Court for the District of Columbia against James Wolfe, a former member of the Senate Intelligence Committee. The indictment alleges that Wolfe lied to federal investigators about his communications with three different reporters—sometimes done over “anonymous” messaging applications like Signal and WhatsApp.

Between in or around September 2017 and continuing until at least in or around December 2017, REPORTER #3 and WOLFE regularly communicated with each other using the anonymizing messaging application Signal, text messages, and telephone calls.

“But wait,” you ask. “Aren’t these supposed to be secure messaging applications?”

Yes. Absolutely. Neither Signal nor WhatsApp can read the messages you send across their respective services, thanks to the encryption mechanisms built into the entire process. If either service is subpoenaed, they can’t help investigators recover messages at all (presumably), a much better situation for you and your clandestine practices than if you just straight-up text messaged your spy network over a wireless carrier’s network. (Don’t do that.)

Here’s the problem, though: If you’re dumb and you leave your messages on your device instead of deleting them, investigators can find them if they obtain physical access to your tablet or smartphone. The people you were talking to? Same deal.

And don’t forget: The party you’re “securely messaging” can also take screenshots of your conversations. If the app you’re using doesn’t warn you when this happens, a la Snapchat, or have some built-in mechanism to prevent screenshots, you’re stuck. Even if it does, a craftier person can just take out a secondary device and take a photo of the screen with your identifying information in it.

What’s a wannabe-spy to do? On Signal, consider using the service’s disappearing messages feature. Though even Signal itself notes that this won’t stop someone from taking a picture of what you sent, surely you can use other tools at your disposal—like burner phone numbers—to cleverly conceal who you are.

(Or just make a dummy email account, connect to a trustworthy VPN, fire up Tor, and send your secret, encrypted message that way—which is just an “off the top of my head” privacy suggestion. There are plenty of more advanced techniques, like dropping secret information into a SecureDrop, for example.)

As before, remember that information about you can still be subpoenaed, including what numbers your number has contacted, so you might want to get creative about how you sign up for WhatsApp in the first place if you’re looking to stay as anonymous as possible. And, yes, that’s “anonymous as possible,” since it never feels like you’re truly anonymous when you’re using someone else’s service.

Do people not always set their encrypted messages to delete? Serious question. When I discuss sensitive political topics with friends, I always send them on Facebook Messenger secret conversations set to delete in 24 hrs. I mostly do this because, while I have political opinions, I can definitely imagine a world where the government trawls through your old message histories and punishes dissidents. So I see no reason to have a history of my political opinions that might be out of favor in the future. Considering that setting it to delete is maybe 2 taps and has no real downsides, why wouldn’t everyone just do that? Screenshots can be easily faked so I’m not sure why anyone would put stock in them. Actual records are a different matter.

The word anonymous means that your identity is obfuscated. Signal is inherently not anonymous since it’s tied to your phone number. I think the word your looking for is secure or encrypted where the content of the message is obfuscated. Important distinction.

There are legitimate reasons to want to communicate securely. I work with healthcare data. Sometimes I need to communicate this or that about such and such sensitive thing for business reasons and that could compromise people’s privacy, identity, or worse. I would counter: If you are gonna be shady, don’t be stupid.

Encryption is literally a piece of mind for the user and said company that made the app. That’s it. There are a million ways around it and I think it’s silly to even think you’re protected beyond the company seeing your messages. You know what the most secure way of taking is? Face to face. Because even if they do record, majority of cities/countries require that both parties are aware. Or else, it’s not legal. Just don’t do it. Plain and simple. Even if it is legit.